Example multicast destination NAT (DNAT) configuration

Example multicast destination NAT (DNAT) configuration

The example topology shown and described below shows how to configure destination NAT (DNAT) for two multicast streams. Both of these streams originate from the same source IP address, which is The example configuration keeps the streams separate by creating 2 multicast NAT policies. In this example the FortiGate units have the following roles:

  • FGT-1 is the RP for dirty networks,
  • FGT-2 performs all firewall and DNAT translations.
  • FGT-3 is the RP for the clean networks,
  • FGT-1 and FGT-3 are functioning as PM enabled routers and could be replaced can be any PIM enabled router. This example only describes the configuration of FGT-2. FGT-2 performs NAT so that the receivers connected to FGT-3 receive the following translated multicast streams.
  • If the multicast source sends multicast packets with a source and destination IP of and; FGT-3 translates the source and destination IPs to and
  • If the multicast source sends multicast packets with a source and destination IP of and; FGT-3 translates the source and destination IPs to and


Example multicast DNAT topology


To configure FGT-2 for DNAT multicast

1. Add a loopback interface. In the example, the loopback interface is named loopback.

config system interface edit loopback

set vdom root

set ip set type loopback

next end

2. Add PIM and add a unicast routing protocol to the loopback interface as if it was a normal routed interface. Also add static joins to the loopback interface for any groups to be translated.

config router multicast config interface

edit loopback

set pim-mode sparse-mode config join-group

edit next

edit next



3. In this example, to add firewall multicast policies, different source IP addresses are required so you must first add an IP pool:

config firewall ippool edit Multicast_source

set endip set interface port6

set startip next


4. Add the translation security policies.


Policy 2, which is the source NAT policy, uses the actual IP address of port6. Policy 1, the DNAT policy, uses an address from the IP pool. The source and destination addresses will need to be previously created address objects. For this example, will be represented by “example-addr_1” and will be represented by “example-addr_2”. You will likely want to use something more intuitive from your own network.

config firewall multicast-policy edit 1

set dnat

set dstaddr example-addr_1 set dstintf loopback

set nat

set srcaddr example-addr_2 set srcintf port6

next edit 2

set dnat

set dstaddr set dstintf loopback

set nat

set srcaddr set srcintf port6

next end

5. Add a firewall multicast policy to forward the stream from the loopback interface to the physical outbound interface.

This example is an any/any policy that makes sure traffic accepted by the other multicast policies can exit the

FortiGate unit.

config firewall multicast-policy edit 3

set dstintf port7

set srcintf loopback next


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos

Cybersecurity Videos and Training Available Via: Office of The CISO Security Training Videos